Analysis
- max time kernel: 101s
- max time network: 44s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-06-2021 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: order-06.010.2021.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: order-06.010.2021.doc
  Resource: win10v20210410
General
- Target: order-06.010.2021.doc
- Size: 45KB
- MD5: 08bfdea676168b15bcbc8d1dfef36e77
- SHA1: e07427f180773ef0b2709298c276e70dcac94058
- SHA256: fa822b09cf153f7e38073e0f6a78795af2ec6620d0fd4a88d0b9226f0a0c3448
- SHA512: a6bc65a833c4f5f1ba9148d5a324773f6bcaf609ee0a541e42bcbdf41fb826491861cc304809626dfd4c1bca026ace9bc910726a90dba861363e3e40571ab4f6
Malware Config
Extracted
- gozi_ifsb
- 6000
- authd.feronok.com
- app.bighomegl.at
- build: 250204
- exe_type: loader
- server_id: 580
Signatures
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1848 | 1072 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request 1 IoCs
  Processes:
  flow | pid | process
  7 | 1764 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  1752 | regsvr32.exe
- Drops file in Windows directory 1 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
  pid | process
  1072 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx 16 IoCs
  Processes:
  pid | process
  1072 | WINWORD.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory 19 IoCs
  Processes:
  description | pid | process | target process
  PID 1072 wrote to memory of 1848 | 1072 | WINWORD.EXE | explorer.exe (4 entries)
  PID 1776 wrote to memory of 1764 | 1776 | explorer.exe | mshta.exe (4 entries)
  PID 1072 wrote to memory of 1380 | 1072 | WINWORD.EXE | splwow64.exe (4 entries)
  PID 1764 wrote to memory of 1752 | 1764 | mshta.exe | regsvr32.exe (7 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order-06.010.2021.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" c:\programdata\repoLnk.hta
    - Process spawned unexpected child process
  - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\repoLnk.hta"
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" c:\users\public\repoLnk.jpg
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\repoLnk.hta
  MD5: f490f8cb8e5e5e86da051604e206c425
  SHA1: e988db88aece30bcc54237e6979a45dfe7583547
  SHA256: 83c9087f95215506ccf40f1566692f4c75326d5a637c01c364dd3068e26cdd26
  SHA512: 6504820da57375e20a5ff840e78d149d997b6591d15b229fedcdce66f351308699a9cacc423e3ae88dc4fd3295bc821d553f215f1d3da8d39b17021451e5f01f
- \??\c:\users\public\repoLnk.jpg
  MD5: 8d8ea9bf2fa6b8e8069780321b72d358
  SHA1: ad8f64449bc128647574f208b3e58d4840f64240
  SHA256: 4c6ecbce8dab3b4b29274d3f58f7023a6322df5e469d8de6d24571bcff642714
  SHA512: eda568a6d34940132e1426f6cd3e597519e8f80847e0bc540cc541f37dee9e456e8395fa3b2ac544e55584eaea9b481baf7402d3f8cc1a299e907e83fb035318
- \Users\Public\repoLnk.jpg
  MD5: 8d8ea9bf2fa6b8e8069780321b72d358
  SHA1: ad8f64449bc128647574f208b3e58d4840f64240
  SHA256: 4c6ecbce8dab3b4b29274d3f58f7023a6322df5e469d8de6d24571bcff642714
  SHA512: eda568a6d34940132e1426f6cd3e597519e8f80847e0bc540cc541f37dee9e456e8395fa3b2ac544e55584eaea9b481baf7402d3f8cc1a299e907e83fb035318
- memory/1072-60-0x000000006FE01000-0x000000006FE03000-memory.dmp
  Filesize: 8KB
- memory/1072-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1072-76-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1072-59-0x0000000072381000-0x0000000072384000-memory.dmp
  Filesize: 12KB
- memory/1380-67-0x0000000000000000-mapping.dmp
- memory/1752-73-0x0000000067750000-0x000000006775D000-memory.dmp
  Filesize: 52KB
- memory/1752-70-0x0000000075561000-0x0000000075563000-memory.dmp
  Filesize: 8KB
- memory/1752-69-0x0000000000000000-mapping.dmp
- memory/1752-74-0x0000000067750000-0x00000000677FF000-memory.dmp
  Filesize: 700KB
- memory/1752-75-0x00000000001B0000-0x00000000001B1000-memory.dmp
  Filesize: 4KB
- memory/1764-66-0x0000000000000000-mapping.dmp
- memory/1848-63-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
  Filesize: 8KB
- memory/1848-62-0x0000000000000000-mapping.dmp